INFORMATION ON THE TREATMENT OF PERSONAL DATA PURSUANT TO ARTICLES 13 AND 14 OF EU REGULATION 2016/679 (GDPR)

Pursuant to EU Regulation 679/2016 ("GDPR"), we provide below the information regarding the processing of personal data of natural persons operating in various capacities in the Customer structure (business owner, shareholders and administrators, employees and collaborators, ...), in relation to contractual relationships. Furthermore, before the conclusion of the contract, the processing of personal data could also pursue pre-contractual purposes, such as responding to specific requests from the customer concerned.

DATA CONTROLLER

The Data Controller of personal data is IMPIANTI NOVOPAC SRL (Tax Code / VAT: IT00962900064) - based in Via dell’Automobile 41, 15121 Alessandria - PEC: novopac@acd.pec

TYPES OF DATA OBJECT OF THE TREATMENT

The Data Controller will process the personal data (as defined in Article 4 (1) of the GDPR) which will be provided by the Data Subject, those that will be contained in the deeds and documents requested by the Data Controller, as well as those that will be acquired from public administrations, from the Judicial authorities and from other bodies and private subjects, within the limits in which this is imposed or permitted by national and community laws. By way of example and not limited to, the Data Controller may find itself processing the following types / categories of personal data: identification data; contact details and addresses, including digital ones; family, economic, financial, patrimonial and fiscal situation; location data; characteristic elements of physical, physiological, economic, cultural and social identity; assets owned or possessed; judicial data other than criminal convictions and offenses; data relating to habits, lifestyle and behavior.

The Data Controller may be dealing with the particular categories of personal data referred to in Article 9 of the GDPR, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Finally, the Data Controller may find itself processing the data referred to in Article 10 of the GDPR, or those relating to criminal convictions and crimes or related security measures.

PURPOSE OF THE TREATMENT

Personal data, however acquired by the Data Controller, will be processed for the following purposes:

1. Purposes strictly connected and instrumental to the establishment, management, including administrative, and execution of pre-contractual and contractual relationships. By way of example and not limited to, and for greater transparency, the primary purposes of the processing connected to the fulfillment of the contract (in each of its phases) may be in the specific purposes of: sale of goods and provision of the services requested, supply of any products related services, maintenance and technical assistance, management of any complaints and / or disputes, prevention / repression of fraud and any illegal activity, archiving, use of personal data to make communications relating to the performance of the contractual relationship established, detection of the degree of satisfaction on the quality of the products / services rendered, offer, promotion and / or sale of products and services carried out through traditional communication methods or automated systems, etc.;
2. Economic management - fulfillment of tax or accounting obligations, customer management (administration of contracts, orders, transport, invoices; selections according to needs), accounting or treasury management, electronic payment instruments (credit and debit cards; electronic money), management of electronic invoicing, provision of loans;
3. Disclosure of the Data Controller's collaboration and commercial relationships through the preparation of paper material (brochures, flyers, ...) or through the website or "social" communication tools to illustrate their activities and their functioning, facilitate access to its services, promoting knowledge, promoting broad and in-depth knowledge on issues of significant public and social interest, promoting its image, as well as that of Italy, in Europe and in the world, giving knowledge and visibility to projects and achievements of local, regional, national and international importance;
4. Privacy - Activities related to the application of the legislation on the protection of personal data in fulfillment of obligations established by laws, regulations and community legislation, or in execution of provisions issued by authorities entitled to do so;
5. Legal - Activities relating to legal advice, as well as the legal aid and defense of the Owner as well as advice and insurance coverage in case of civil liability towards third parties of the Owner.

It should be noted that, if the Data Controller intends to further process personal data for a purpose other than that for which they were collected, before such further processing it will provide the interested party with information regarding this different purpose and any further relevant information.

CONDITIONS OF LAWFULNESS OF THE TREATMENT

Pursuant to and for the purposes of Article 6 of the GDPR, we inform you that the legal basis in support of the processing of personal data is generally represented by the fact that the processing itself is necessary for the execution of a contract to which the customer is a party or the execution of pre-contractual measures adopted at the request of the same. However, situations may arise in which the processing is necessary to fulfill a legal obligation to which the Data Controller is subject (e.g. civil, tax and social security obligations). In the case of actions to assert or defend a right in court, the legal basis of the processing is represented by the legitimate interest of the Data Controller. Where this is essential, the processing will take place in accordance with and within the limits in which the interested party has given consent to the processing of their personal data for one or more specific purposes. The forms used by the Data Controller highlight the types of data and processing operations that require the consent of the interested party.

The processing of particular categories of personal data referred to in Article 9 of the GDPR will be limited to the cases in which the interested party has given his consent; the processing is necessary to protect a vital interest of the interested party or of another natural person if the interested party is physically or legally unable to give his consent; concerns personal data made manifestly public by the interested party; it is necessary to ascertain, exercise or defend a right in court or whenever the judicial authorities exercise their judicial functions.

The processing of personal data relating to criminal convictions and offenses referred to in Article 10 of the GDPR will only take place where it is necessary for reasons of significant public interest on the basis of national or Community law or is authorized by a law or, in the cases provided for by law, by regulation, in accordance with the provisions of article 2-octies of Legislative Decree 196/2003 (Privacy Code).

OPTIONAL OR MANDATORY NATURE OF THE PROVISION OF DATA

The provision of data is generally mandatory as it is necessary for the execution of a contract or pre-contractual measures. The optional and mandatory nature of the individual data or categories of data requested from the interested party will be specified from time to time during the collection phase through the use of suitable identification systems within the forms in use. The interested party is always responsible for the accuracy and updating of the data provided. If the interested party provides personal information that is not necessary or useful for the pursuit of the aforementioned purposes on his own initiative, the same will not be used except to the extent necessary to carry out the relative evaluation and the deeds and documents containing them will be returned or destroyed.

TREATMENT

The main processing operations that will be carried out with reference to personal data are the collection, registration, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination, comparison or interconnection. On some occasions the data may be subject to cancellation or destruction. The processing usually takes place within the operational structures of the Data Controller or also at the external parties referred to in the following paragraph. The processing of personal data will be carried out both with manual and IT and telematic tools, with organization and processing logics strictly related to the purposes themselves and in any case in such a way as to guarantee the security, integrity and confidentiality of the data in compliance with the organizational, physical and logical measures provided by the provisions in force. The activation of an automated decision-making process is excluded.

COMMUNICATION AND DIFFUSION OF PERSONAL DATA

Personal data may be shared with:

1) natural persons authorized by the Data Controller to process personal data subject to specific instructions on the methods and purposes of the processing (e.g. employees, collaborators, IT system administrators);
2) the following third parties, some of which act as data controllers while others act as independent data controllers or joint controllers:
a) freelance consultants registered in a specific register (accountants, lawyers, notaries, labor consultants) - for the acquisition of opinions on the correct methods of application of the legislation or for the performance of activities reserved for them by law (legal patronage, judicial assistance, stipulation of contracts, ...);
b) contracting companies in case of assignment of services, even partial, to external companies, including the assistance and maintenance of the technological structures used by the Owner (by way of example, cloud services, video surveillance, hw-sw, ...);
c) credit institutions and insurance companies;
For a complete and updated list of subjects external to the Data Controller who process personal data, send a request to the e-mail address indicated above.
3) subjects, bodies or authorities to whom it is mandatory to communicate your personal data by virtue of the provisions of the law or orders of the authorities (by way of example, public administrations referred to in art. 2, paragraph 1 of Legislative Decree 165/2001, Revenue Agency, Prefecture, Single Desk for Immigration, Employment Centers, Regions, Judicial Authorities, Local Health Authorities, Area Authorities, Independent Authorities, ...).

The Data Controller guarantees the utmost care so that the communication of personal data to the aforementioned recipients only concerns the data strictly necessary for the achievement of the specific purposes for which they are intended. Personal data will not be spread in any way.

TRANSFER OF DATA OUTSIDE THE EU

The Data Controller does not transfer personal data outside the European Economic Area. However, if this is indispensable for the pursuit of the aforementioned purposes, this transfer will take place only in the event of the existence of international agreements or adequacy decisions by the Commission (pursuant to Article 45 of the GDPR) or in the context of the stipulation of binding rules of company ("Binding Corporate Rules" or "BCR" pursuant to art. 47 of the GDPR) which guarantee an adequate degree of protection for the personal data communicated or transferred.

STORAGE OF THE PERSONAL DATA

The data will be kept for the entire duration of the contractual relationship and in any case in compliance with the conservation terms imposed by law. In the event of a dispute, the data will be kept until the sentence that defined the relevant judgment becomes final. This is without prejudice to compliance with specific legislative and / or regulatory provisions that impose reduced retention times in relation to specific processing of personal data (by way of example, see the Provisions of the Guarantor respectively of 01.03.2007 containing guidelines by e-mail and internet and of 08.10.2010 in relation to video surveillance systems).

RIGHTS OF THE INTERESTED PARTY

The interested party is entitled to the rights referred to in Articles 15 to 20 of the GDPR. By way of example, the interested party may:

A) obtain confirmation as to whether or not personal data concerning him is being processed and, in this case, obtain access to personal data and the following information:
i. the purposes and methods of the processing;
ii. the identification details of the Data Controller and any managers;
iii. the origin of the personal data;
iv. the categories of personal data in question;
v. the logic applied in case of treatment carried out with the aid of electronic instruments;
vi. the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular if they are recipients of third countries or international organizations;
vii. when possible, the retention period of the personal data provided or, if not possible, the criteria used to determine this period;
B) obtain the correction of inaccurate personal data concerning him as well as, taking into account the purposes of the processing, the right to obtain the integration of incomplete personal data, also by providing an additional declaration;
C) obtain the cancellation of personal data concerning him if one of the following reasons exists:
I. the personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
II. the data is unlawfully processed;
III. he has revoked the consent on the basis of which the Data Controller had the right to process his data and there is no other legal basis that allows the Data Controller to perform the processing;
IV. he has opposed the processing activity and there is no overriding legitimate reason;
V. personal data must be deleted to fulfill a legal obligation.
Please note that the right to erasure cannot be exercised to the extent that the processing is necessary for the fulfillment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of public authority vested in the Data Controller or even necessary for archiving purposes in the public interest, for scientific or historical research or for statistical purposes.
D) obtain from the Data Controller the limitation of the processing when one of the following hypotheses occurs:
i. for the period necessary for the Data Controller to verify the accuracy of such personal data concerning him whose accuracy he has contested;
ii. in case of unlawful processing of your personal data;
iii. even if your personal data are not necessary for the purposes of the processing, in any case it needs to be processed for the assessment, exercise or defense of a right in court;
iv. for the period necessary to verify the possible prevalence of the legitimate reasons of the Data Controller with respect to his request for opposition to the processing;
E) obtain certification that the operations relating to the rectification, cancellation and limitation of data have been brought to the attention, also as regards their content, of those to whom the data have been communicated or disseminated, except in the case in which this fulfillment proves impossible or involves the use of means manifestly disproportionate to the protected right;
F) receive the personal data that he has provided or created - excluding the judgments created by the Data Controller and / or by persons authorized to process the data in the name and on behalf of the Data Controller - in a structured format, commonly used and readable by an automatic device, and request their transmission to another holder, if technically feasible.

RIGHT TO OPPOSITION

The interested party has the right to object at any time, for reasons connected to his particular situation, to the processing of personal data concerning him if it is necessary for the pursuit of the legitimate interest of the data controller or third parties. In this case, the Data Controller refrains from further processing the personal data unless he demonstrates the existence of compelling legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the interested party or for the verification, exercise or defense of a right in court.

RIGHT TO REVOCATION OF CONSENT

In the event that consent is required for the processing of personal data, each interested party may also revoke the consent already given at any time, without prejudice to the lawfulness of the processing carried out prior to the withdrawal of consent.

EXERCISE OF RIGHTS

Requests to exercise the rights recognized to the interested party must be addressed in writing to the certified email address indicated above.

RIGHT TO PROPOSE A COMPLAINT TO THE SUPERVISORY AUTHORITY

Each interested party may lodge a complaint with the Guarantor for the Protection of Personal Data or with another supervisory authority - competent by virtue of the provisions of the GDPR - in the event that it considers that the rights it holds under the GDPR have been violated. The exercise of the rights of the interested party is free.

CHANGES TO THE INFORMATION

This information is published and kept updated on the Data Controller's website. The Owner reserves the right to modify, update, add or remove parts of this information, at its discretion and at any time. The data subject is required to periodically check for any changes. In order to facilitate this verification, the information will contain an indication of the approved version.




Regulatory sources and further information

For your convenience, we report the web links where you can find more information (including legal ones) and news:

a) text of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95 / 46 / EC (General Data Protection Regulation) (Text with EEA relevance)
https://eur-lex.europa.eu/legal-content/IT/TXT/HTML/?uri=CELEX:32016R0679&from=IT

b) website of the Italian Data Protection Authority
http://www.garanteprivacy.it

c) website of the European Data Protection Supervisor (EDPS)
https://europa.eu/european-union/about-eu/institutions-bodies/european-data-protection-supervisor_it

d) website of the European Data Protection Board (EDPB)
https://edpb.europa.eu/edpb_it